Asp.Net MVC: requests with too long URLs and error handling
By checking my elmah log, I see I keep receiving "too long url" requests. The error is:
System.Web.HttpException (0x80004005): The length of the URL for this request exceeds the configured maxUrlLength value.
at System.Web.HttpRequest.ValidateInputIfRequiredByConfig()
at System.Web.HttpApplication.PipelineStepManager.ValidateHelper(HttpContext context)
Here is the kind of requests I receive:
/index.php/blog/post/the_ten_deceptions_of_the_datetimepicker/+[PLM=0]+GET+http:/www.visualhint.com/index.php/blog/post/the_ten_deceptions_of_the_datetimepicker/+[0,23778,23037]+->+[N]+POST+http:/www.visualhint.com/index.php/blog/post/the_ten_deceptions_of_the_datetimepicker/+[0,0,2007]
(don't be surprised by the php thing... before being an asp.net mvc site, my site was in php and now I need to redirect this kind of old URLs to my new url format, which works well when the url stops at /index.php/blog/post/the_ten_deceptions_of_the_datetimepicker)
What could generate these requests? Does it sound malicious?
I have custom errors setup, so I though such a request would be redirected to my custom error page, but it's not. Instead, people get the typical yellow screen (firebug开发者_开发问答 mentions this is a 400 Bad Request). If you look at the above stack trace, it is very short and the exception seems to be caught very early (Application_BeginRequest is not even called). Is it possible to show my custom error page or can I at least redirect to my homepage when such an exception occurs?
I tried adding a line for error 400 in my web.config:
<customErrors mode="RemoteOnly">
<error statusCode="400" redirect="/" />
</customErrors>
This redirects to the homepage right, but it adds the complete url in an aspxerrorpath query string value.
Thanks for your help.
A google search helped me find that some other people get this kind of request. Someone answered with:
I am pretty sure it is an automated way of submitting spam. There must be an error in the configuration because it should not leave such a juicy trail in the referrer field!
First it tells some script to get an URL, then it instructs to post to an URL (it is easy to block spam that POSTs directly without getting first).
The numbers could be relating to what spam message(s) to post (think of it as indexes in a spam DB).
So, since there are good chances that these requests are not from humans following normal links, I ended up with the following solution. This avoids polluting my elmah log and this serves a blank page to the caller with a 404 code:
public void ErrorLog_Filtering(object sender, ExceptionFilterEventArgs e)
{
HttpException hExc = e.Exception.GetBaseException() as HttpException;
if (hExc != null)
{
if (hExc.ErrorCode == unchecked((int)0x80004005))
{
e.Dismiss();
return;
}
}
// Here I do some stuff if the error has to be logged.
}
void Application_Error(object sender, EventArgs e)
{
Exception exc = Server.GetLastError();
HttpException hExc = exc as HttpException;
if (hExc != null)
{
if (hExc.ErrorCode == unchecked((int)0x80004005))
{
Uri uri = HttpContext.Current.Request.Url;
Response.Clear();
Response.StatusCode = 404;
Response.End();
Server.ClearError();
}
}
}
Instead of returning a 404 code, I would have preferred to not send a response (the caller would have a timeout) but is it possible with asp.net? No idea...
精彩评论